February brought to light four families of Mac malware: Intego discovered OSX/Shlayer, two RATs were found, and a popular Mac software download site distributed Trojanized versions of Firefox, OnyX, and Deeper.
Meanwhile: a single Telugu character allowed pranksters to crash iOS devices and Macs, Apple's T2 chip brings security improvements to the new iMac Pro, and a government contractor claims it can unlock any iOS device. Read on for these stories and more!
Intego researchers found OSX/Shlayer spreading via BitTorrent file sharing sites, appearing as a fake Flash Player update when a user attempted to select a link to copy a torrent magnet link. Of course, readers who don't search for torrents should still be wary; fake Flash Player alerts can be found in many places on the Web.
Intego observed variants of OSX/Shlayer downloading and installing OSX/MacOffers or OSX/Bundlore adware onto infected Macs.
Intego VirusBarrier was the first anti-virus software to detect this malware; its three variants are detected as OSX/Shlayer.A, OSX/Shlayer.B, and OSX/Shlayer.C. VirusBarrier also detects the secondary adware infections.
For more details about OSX/Shlayer, shell scripts, and code signing, see our featured article:
In preparation for a talk at an upcoming security conference, Wardle searched VirusTotal for a sample of malware that attempts to directly modify a macOS database file (TCC.db) to grant itself special permissions. He found a sample that was undetected by all 60 of VirusTotal's anti-virus engines but that nevertheless looked suspicious to a trained researcher's eye.
The RAT, which Intego VirusBarrier detects as OSX/Coldroot, has the capability of performing a number of functions for a remote attacker such as:
For more details about OSX/Coldroot including how to know whether your Mac is infected, and for a comparison with other recently discovered Mac RATs, see our featured article:
Coldroot wasn't the only RAT discovered in February.
Interestingly, in spite of including features that are overtly malicious in nature, EvilOSX is developed as open-source software that's freely available on GitHub, a popular software development repository.
This makes it relatively easy for any would-be attacker to download the software and use it to gain remote administrator privileges over someone else's Mac—as long as they can get physical access, or can trick a victim into installing the software.
An attacker can supposedly leverage EvilOSX to do things such as the following with a victim's Mac:
Intego detects this RAT as OSX/EvilOSX. For more details, see our featured article:
Evidently, attackers successfully tricked MacUpdate admins into changing the download links for the three apps by registering look-alike domain names. The attackers had repackaged the legitimate utilities and added a malicious payload to them: dropper malware that would download a cryptocurrency miner hosted on Adobe Creative Cloud servers.
If you're interested in all the technical details about the malware, you can read Patrick Wardle's write-up.
Intego VirusBarrier detects the infection's components as OSX/CreativeUpdater and OSX/Miner.
Apple says that its T2 chip includes "a Secure Enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities."
Let's just hope that Apple's inclusion of a chip called "T2" doesn't mean that Judgment Day is nigh.
For more details, see our featured article:
The updates addressed only a single vulnerability, via which "a maliciously crafted string" of characters could cause memory corruption, leading to a crash or unstable state.
Interestingly, the bug may have been reported to Apple more than a month earlier; Apple seems to have reserved the bug's CVE number on January 2.
For more details on the updates, see our featured article:
Although this does not pose an immediate threat to iOS device users, it could potentially give hackers greater insight into how Apple's boot process works. Motherboard notes that past vulnerabilities in iBoot have enabled "jailbreakers and hackers to brute-force their way through the iPhone's lock screen and decrypt a user's data," but thanks to the Secure Enclave Processor and other modern enhancements, such a leak poses less risk today.
Motherboard later reported details about how the iBoot source code was leaked, allegedly through an intern who worked at Apple's Cupertino headquarters in 2016.
Rather than offering this feature via software to governments and law enforcement agencies, Cellebrite requires that agencies must physically send devices to the company. Presumably, Cellebrite's goal is to delay the inevitable: Apple eventually finding and patching the vulnerability that's being used to break into the devices.
Should privacy-conscious iOS users be worried? Perhaps not. Cryptography expert Bruce Schneier remarks that,
"There's... a credible rumor that Cellebrite's [methods] only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure."
There were other notable goings-on in the security world in February. Some highlights:
Be sure to subscribe to The Mac Security Blog to stay informed about Apple security throughout each month.
Also, each week we discuss Mac and iOS security news and other topics of interest on the Intego Mac Podcast. You'll want to subscribe in iTunes/Podcasts to make sure you don't miss any shows! Show notes are available at podcast.intego.com.
Last but not least, be sure to subscribe to the Intego YouTube channel to get informative video updates, and click on YouTube's bell icon (🔔) so you'll get notified when each new episode is available.
T2 chip image credit: Henriok. "Cold root" image composed by Joshua Long using public-domain images of roots and icicles.